Forum OpenACS Q&A: Re: server security...
I strongly suggest that you do what you can to figure out whether you were hacked or not.
1. Disable inetd or xinetd after you have made sure that the latest SSH daemon always starts at boot. If there are other services, such as POP3 or sendmail, that are running on the system, start them at boot time as well.
2. Install AIDE and run it nightly. This is a similar program to tripwire and works the same way. Set up properly, it will detect changes to system files.
3. A rule about accounts, should you need to use FTP, POP3 or any other service that does not encrypt passwords over the network: set the login to be /sbin/nologin or whatever RedHat has set up as the setting for disallowing logins. Accounts that can log in to the server should never use insecure protocols like POP3; accounts that use insecure protocols should not be able to log in.
4. Install IPF or use ipchains to only allow traffic on the ports you specify, such as 22 (ssh), 80 (http), 443 (https).
There are many other things you can do as well, such as mounting /var and /home with noexec,nosuid, etc.
Hope this helps!
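
An audit for item 3 and the noexec/nosuid suggestion above, as an added example that is not part of the original post. The account names, the service-account list file and the sample passwd and mounts contents are constructed; on a real host, pass /etc/passwd and /proc/mounts instead.

```shell
#!/bin/sh
# Added example; every account name and sample file below is constructed.

# Print service-only accounts (FTP/POP3 users) that still have a login shell.
# $1 = passwd-format file, $2 = file of service-only account names, one per line
login_capable_service_accounts() {
    awk -F: -v list="$2" '
        FILENAME == list { svc[$1] = 1; next }   # first file: names to check
        ($1 in svc) && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$2" "$1"
}

# Print each mount point ($2...) that lacks noexec or nosuid in the
# /proc/mounts-format file $1. A path that is not its own mount is also flagged.
mounts_missing_hardening() {
    mounts_file=$1; shift
    for mp in "$@"; do
        awk -v mp="$mp" '
            $2 == mp { found = 1; opts = "," $4 "," }   # last entry wins
            END { if (!found || opts !~ /,noexec,/ || opts !~ /,nosuid,/) print mp }
        ' "$mounts_file"
    done
}

# Demo on constructed input.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
popuser:x:501:501::/home/popuser:/sbin/nologin
ftpuser:x:502:502::/home/ftpuser:/bin/bash
EOF
printf 'popuser\nftpuser\n' > "$tmp/service_accounts"
cat > "$tmp/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,noexec,nosuid 0 0
/dev/sda3 /home ext3 rw,nosuid 0 0
EOF
echo "Service accounts with a login shell:"
login_capable_service_accounts "$tmp/passwd" "$tmp/service_accounts"
echo "Mount points missing noexec or nosuid:"
mounts_missing_hardening "$tmp/mounts" /var /home
```

An account with an empty shell field is reported too, since it falls back to the system default shell.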